Google has officially confirmed a cyberattack on one of its Salesforce systems, exposing contact data of small and medium businesses. The breach, though brief, was carried out by a cybercriminal group known as UNC6040, which tricked employees into granting access using a method called vishing, or voice phishing. This technique involves impersonating IT support personnel over the phone, manipulating employees to unknowingly authorise malicious software.

The attackers convincingly posed as internal tech support during calls and persuaded staff members to install a compromised tool that mimicked Salesforce’s legitimate environment. Once granted access, the hackers extracted basic business contact details. Google said that most of this information was already publicly available and that the breach was promptly detected and halted before deeper damage could occur.

UNC6040 is known for targeting Salesforce platforms. Historically, the group abused official tools like Salesforce’s “Data Loader” app, which allows bulk data transfers. More recently, it has begun deploying fake applications with deceptive names such as “My Ticket Portal” to evade detection. These apps appear authentic to employees but serve as entry points for malicious activity.

In a concerning development, UNC6040 has shifted tactics by using custom-built Python scripts instead of standard Salesforce tools. This change makes the group's actions harder to track and block. Additionally, its use of VPNs and the Tor network allows it to remain anonymous, masking its origin and identity while operating from the dark web.

Following the breach, another group identified as UNC6240 has taken over the extortion efforts. Employees at affected companies have been contacted directly via email and phone calls demanding bitcoin payments within a 72-hour deadline. These threats are often attributed to the infamous hacker collective known as “ShinyHunters,” adding pressure and fear to the breach aftermath. Cybersecurity experts believe that a leak site may soon go live, where these criminals plan to publicly release the stolen data if their demands are not met.

Google’s security team stresses that this breach did not exploit any specific vulnerability within Salesforce software. Instead, it stemmed entirely from human error, highlighting the need for companies to re-evaluate and strengthen their internal cybersecurity training and response protocols. Businesses are being urged to implement stricter access controls, reduce permissions for sensitive tools, limit software installations, and continuously educate employees about social engineering attacks.

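
The behaviours described above (authorization of an unapproved app such as “My Ticket Portal”, bulk pulls through Data Loader or custom Python scripts, and VPN or Tor source addresses) can be triaged from API activity records. The Python below is an added example, not code from Google or Salesforce; the event schema, approved-app list, row threshold, user-agent strings and IP addresses are constructed assumptions.

```python
from collections import defaultdict

# Assumptions for this example: the approved-app list, row threshold and
# anonymizer address list would come from your own policy and threat intel.
APPROVED_APPS = {"Data Loader"}
ANONYMIZER_IPS = {"203.0.113.50"}   # constructed (documentation address range)
BULK_ROW_THRESHOLD = 10_000
SCRIPT_AGENTS = ("python", "curl")  # client strings treated as scripted access

# Constructed events in a simplified, hypothetical schema (not a vendor log format).
SAMPLE_EVENTS = [
    {"type": "app_authorized", "user": "alice", "app": "Data Loader", "ip": "198.51.100.7"},
    {"type": "api_query", "user": "alice", "app": "Data Loader", "rows": 1200,
     "agent": "DataLoader/61.0", "ip": "198.51.100.7"},
    {"type": "app_authorized", "user": "bob", "app": "My Ticket Portal", "ip": "198.51.100.9"},
    {"type": "api_query", "user": "bob", "app": "My Ticket Portal", "rows": 6000,
     "agent": "python-requests/2.32", "ip": "203.0.113.50"},
    {"type": "api_query", "user": "bob", "app": "My Ticket Portal", "rows": 7000,
     "agent": "python-requests/2.32", "ip": "203.0.113.50"},
    {"type": "api_query", "user": "carol", "app": "Data Loader", "rows": 25000,
     "agent": "DataLoader/61.0", "ip": "198.51.100.12"},
]


def triage(events, approved=APPROVED_APPS, anonymizers=ANONYMIZER_IPS,
           threshold=BULK_ROW_THRESHOLD):
    """Return {user: sorted list of reasons} for accounts that need review."""
    reasons = defaultdict(set)
    rows = defaultdict(int)  # rows pulled per (user, app), summed across queries
    for ev in events:
        user, app = ev["user"], ev["app"]
        if ev["type"] == "app_authorized" and app not in approved:
            reasons[user].add(f"unapproved app authorized: {app}")
        if ev["ip"] in anonymizers:
            reasons[user].add("anonymizer source IP")
        if ev["type"] == "api_query":
            rows[(user, app)] += ev["rows"]
            if ev["agent"].lower().startswith(SCRIPT_AGENTS):
                reasons[user].add("scripted API client")
    for (user, app), total in rows.items():
        if total > threshold:  # also catches bulk pulls through approved tools
            reasons[user].add(f"bulk export via {app}: {total} rows")
    return {user: sorted(found) for user, found in reasons.items()}


if __name__ == "__main__":
    for user, found in triage(SAMPLE_EVENTS).items():
        print(user, found)
```

Summing rows per user and app, rather than per query, keeps an export that is split into smaller requests from staying under the threshold.
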
This incident serves as another critical reminder that in today’s digital world, the weakest link is often not the software, but the people who use it.